Monday, 15 September 2014

Compromise the security (looking back at the RSA breach)

I had an interesting conversation with family this weekend, where I was talking about securing iCloud using two-step verification.  Someone mentioned that with personal data it's not really important, but from a work perspective (they use to work for a large US company based globally) that RSA tokens protected them.

Back in 2011, RSA was compromised and is pretty much well documented.  As a summary, here's happened:

  • Targeted emails were sent to the HR team at RSA
  • Prior to the compromise only 11 emails were sent, but all of them were caught by the SPAM filtering solution
  • One of these emails were released to the HR team as it looked important
  • When the attachment was opened, it installed malware onto the computer exploiting a vulnerability in an Adobe product
  • With this access, the hackers were able to pivot onto other servers, eventually getting to the token database, allowing them to generate the "secret" code of a token with a specific serial number
This breach is said to have cost RSA $66 million, but beyond the actual costs, there reputation of RSA as a security vendor was brought into question.  It seems that this wasn't the end goal of the hackers, but rather the start to something much more spectacular!

Lockheed Martin is supplies military and aerospace technology to a number of organisations, including the Pentagon.  This in itself would make Lockheed Martin an obvious target for attackers, but as an organisation concerned about security, they used RSA tokens to protect their network.

It would seem that Lockheed Martin were potentially victim to a state-sponsored attack from the Chinese government.  Knowing that the target organisation were protected with RSA tokens, make it difficult to compromise them.  Much easier would be have access to the RSA tokens, or at least the codes it would generate.

I appreciate that it is speculation that the Chinese nation state were behind the attack, but I would suggest that you do an internet search for two images and play "spot the difference":
  • Lockheed Martin F-22
  • Chengdu J-20
After the breach, Lockheed Martin created the Cyber Kill Chain, which shows the various steps of a compromise to your network.  Many security vendors have taken this methodology on board, and their solutions can be seen to help during certain stages of an attack.  I'll blog about this in more detail soon.

No comments:

Post a comment